Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC

Preamble:

In talking to Steve Ragan over the time between the initial Sony hack and now, he confided in me that he had some emails and data that might bear on the whole attribution drum I have been banging. As he is a friend I cajoled him into sending me the data (THANKS STEVE-O!) and lo and behold it has some interesting twists for all those out there playing the home attribution game! As you have likely seen on my Twitter feed and here, I am not a real fan of the whole attribution thing to start with, and now with everyone screaming CYBERWAR NOW! I am all the more disgusted with the companies falling over each other for air time on CNN and CBS to conjecture their own theories cum free advertising.

I am writing this post to offer counter narratives to all of the various pundits and companies offering their services while selling you attribution on a case where they have no real evidence other than that which the adversary has given them. This is an important fact that most seem to fail to comprehend. Like the Grugq says;

…. And I am with him here. The adversary or adversaries have had control of the situation all along. Think about it: they completely owned Sony for a long time and at a level where any data that comes out of the incident response has to be at least nominally considered tampered with or suspect. So the FBI calling it DPRK at least carries the illusion that there is other HUMINT or SIGINT, perhaps provided by the NSA, showing traffic leaving Sony, passing through intermediary system(s) and arriving at a known dead drop that has been or is controlled by the DPRK or China… Right? Well, maybe. You see, the government has not, to my knowledge, said overtly that it has CLASSIFIED data it cannot release to the public without burning sources and methods.

At the end of the day though I feel that attribution really is a nation state thing until such time as the courts catch up on this. Attribution is hard, as the Grugq says, and it surely is, but the reality is that unless you can prove something unequivocally it is all just speculation, right? Speculation is something you will hear lawyers in a TV courtroom yelling for the judge to strike from testimony, so what good is it to us in this scenario? Well, other than titillation for the churnalistas, right? You see, attributing a hack is not important. Seeing how they did it and how the company that got hacked was unprepared is a lot more important, because you can in fact learn from those things and fortify against it happening again, or at all.

Alas though, people are too focused on the who and not so much on the how, and that makes me have a frowny face. Anyway, on to the post. Prepare for theory hole poking, counter narratives, and general bitch slapping of those with a serious case of confirmation bias!

Stylometry & Obfuscation

First off let’s talk about stylometry, which is a neat little tool in the attribution toolbox. Now, it is not as hard a science as some might suspect, and I am not sure just how much weight it is given in a court, much like graphology. In the case of the Sony hack it has of late been trotted out by the likes of Jeff Carr and his little band of scientists. Out of the pastebin posts from GOP he and his crew have determined that the writer(s) of the posts were not Asian at all but in fact Russian! Oh really? Out of a sampling of pastes with what seems to be deliberately bad “engrish”, sourced from pastebin, you are going to go on national and local TV to attribute this? That is some advertising chutzpah!

It was Jeff and his TV appearances that set me off on the stylometry and thus my chat with Steve. I wanted to see all the emails he had from the GOP to gauge all of the language. What came to me from Steve was the usual series of pastes that we all saw, plus one email that had not been released to the public. The email is a response to questions Steve had sent them about who they are and what this was all about. Below you can see the response; I have marked out particularly interesting areas of stylometry (blue) as well as notional or attributional statements by the GOP themselves about their ethos and politics (red).

The overall thing I want you all to comprehend, though, is that stylometry is just as useless as attribution on the whole, and specifically so in the case of the Sony hack and trying to attribute who may have hacked them. There are signs of deliberate tampering with the language in this email, and because it is more than just a quick paste with links, a narrative emerges in which you can see the writer go back and forth, attempting to obfuscate their knowledge of English and perhaps cover any tell-tale evidence that they speak it as a first language.

In the end the probative quality of this evidence, even here, is mostly useless, but I wanted to make a point. Oh, and I almost forgot: Jeff and his team were working with less than the usual amount of text needed to perform a stylometric analysis of merit, so there is that too. Maybe this little ditty will help them.

Subject: Our answers to your questions

From: “nicole.basile@hushmail.com” <nicole.basile@hushmail.com>

Date: 11/30/2014 09:09 AM

To: Steve Ragan <sragan@cxo.com>

Hi, Many consider us as a small group consisting of only several hackers, but it is not true. We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state. Our organization continues to grow. Our philosophy is peace and equality of the world. Our main effort is to take care of neighbors in difficulties and to protect human rights of the world. We are just unknown to the public, but many have seen us. In recent years, Sony and Sony Pictures frequently brought damage to many people and preyed on the weak through terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring. There are some victims of them among us. Nowadays Sony Pictures is gonna prey on the weak for their own benefits with another plan of indiscriminate restructuring. This became a motive of our action. We required Sony Pictures to stop this and pay proper monetary compensation to the victims. Followings are our answers to your questions: 1) Our aim is not at the film “The Interview” as Sony Pictures suggests.But it is widely reported as if our activity is related to “The Interview”. This shows how dangerous film “The Interview” is. “The Interview” is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with “The Interview” fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures. 2) We demanded Sony Pictures to stop indiscriminate restructuring which brings forth innocent victims and to pay proper monetary compensation to the victims. Sony and Sony Pictures neglected our repeated warning and chances. They didn’t even show their some faith to us. 
We think such a shameless company doesn’t need to exist. We won’t give up this attack unless Sony Pictures collapse to the end. We have already started the efforts on full scale. We will release all data of the company as we proclaimed. Sony Pictures is surely to collapse unless it kneels down to us. We have another plan to correct the incidents of Michael Brown. Thanks

Stylometry Interesting Bits:

The writer uses the slang contraction “gonna” and the colloquial “nowadays” correctly in a grammatically correct sentence

The writer then uses “fully acquaints us” as a term for familiarity with a topic instead of another contraction

“Neighbors” instead of “neighbours” (UK spelling)

The switching back and forth between what seems to be a native speaker of American English and a non-native English speaker looks like the text was either crowd-sourced or deliberately obfuscated.

Assessing this one email, which according to Steve is the most complete communication not released in its entirety, shows some real dissonance in how it was written and perhaps that it was not the work of a single writer. This is all speculative, however, and as I mentioned above little more than a fun diversion. It should not be taken as a real indicator of anything about whoever hacked Sony, and that is what the media needs to realize, along with the rest of the public. It does not matter what nationality anyone is here. It could be a conglomerate of people like they (GOP) claim. It could be a group either paid or just pissed off. It doesn’t matter! What does matter is that Sony got hacked and HOW they got hacked.
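To make the sample-size point from the stylometry section and the “Interesting Bits” list above concrete, here is a toy feature extractor. It is an added example for this post, not code from the original, from Jeff Carr’s team or from anyone else named here. It pulls the same kinds of markers flagged above (American vs. British spellings, informal contractions, article rate and a handful of function-word frequencies) and refuses to give any verdict below a minimum token count. The marker lists and the 500-token threshold are illustrative assumptions, not a validated authorship model, and the sample input is an excerpt of the GOP email quoted above.

```python
"""Toy stylometric feature extraction with a sample-size gate.

Added example for this post, not code from the original or from any of the
analysts it mentions. The marker lists and MIN_TOKENS are illustrative
assumptions, not a validated authorship model.
"""
import re
from collections import Counter

# Assumed dialect markers (small illustrative subsets, not exhaustive lists).
US_SPELLINGS = {"neighbors", "color", "organization", "realize", "center", "defense"}
UK_SPELLINGS = {"neighbours", "colour", "organisation", "realise", "centre", "defence"}
# Informal register markers a fluent, casual English writer tends to produce.
INFORMAL = {"gonna", "wanna", "gotta", "nowadays", "kinda"}
# Function words are the usual backbone of authorship attribution; tiny subset.
FUNCTION_WORDS = ("the", "of", "and", "to", "a", "in", "is", "that", "we", "our", "it")

# Illustrative minimum. Frequencies measured on a few dozen words swing wildly,
# which is exactly the problem with short pastebin samples.
MIN_TOKENS = 500

# Excerpt of the GOP email quoted in the post, used here as sample input.
SAMPLE = (
    "Our main effort is to take care of neighbors in difficulties and to protect "
    "human rights of the world. Nowadays Sony Pictures is gonna prey on the weak "
    "for their own benefits with another plan of indiscriminate restructuring. "
    "The news with The Interview fully acquaints us with the crimes of Sony Pictures."
)


def tokenize(text):
    """Lower-case word tokens; apostrophes kept so contractions survive."""
    return re.findall(r"[a-z']+", text.lower())


def features(text):
    """Return a small feature dict plus whether the sample is big enough to trust."""
    toks = tokenize(text)
    n = len(toks)
    c = Counter(toks)
    article_rate = (c["the"] + c["a"] + c["an"]) / n if n else 0.0
    return {
        "tokens": n,
        "us_spellings": sum(c[w] for w in US_SPELLINGS),
        "uk_spellings": sum(c[w] for w in UK_SPELLINGS),
        "informal": sum(c[w] for w in INFORMAL),
        # Dropped articles are a common non-native tell; this is a crude proxy.
        "article_rate": round(article_rate, 4),
        "function_words": {w: (round(c[w] / n, 4) if n else 0.0) for w in FUNCTION_WORDS},
        "sufficient_sample": n >= MIN_TOKENS,
    }


def signals(f):
    """Human-readable markers present in a feature dict, in a fixed order."""
    out = []
    if f["us_spellings"]:
        out.append("american spelling")
    if f["uk_spellings"]:
        out.append("british spelling")
    if f["informal"]:
        out.append("informal contractions")
    return out


def verdict(f):
    """Say nothing below the sample gate; otherwise list the markers seen."""
    if not f["sufficient_sample"]:
        return "insufficient sample"
    s = signals(f)
    if f["us_spellings"] and f["uk_spellings"]:
        return "conflicting dialect markers: " + ", ".join(s)
    return "; ".join(s) if s else "no dialect markers"


if __name__ == "__main__":
    f = features(SAMPLE)
    print(f["tokens"], "tokens ->", verdict(f))
    print("markers present anyway:", signals(f))
```

The excerpt yields 52 tokens, so `verdict()` returns “insufficient sample” even though `signals()` already sees both an American spelling and informal contractions in it. That is the gap between “there are markers” and “the markers mean something”, and it is the gap a short paste cannot close.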

Parsing The Language of Politics and Rhetoric:

Now, what is far more interesting and perhaps germane to the whole whodunnit of the Sony hack is the language and ideals the hackers put out there as to why they were doing what they were doing. I have highlighted those passages in red. Once again, attribution here is not really important, but this is interesting and may lend itself to counter narratives to all of the claptrap in the news cycle now. So let me prise out some of what the GOP was saying in the email.

They claim they are international and much like Anonymous but come off more like The Illuminati

They claim Sony had been trampling on human rights and had done damage to people they were trying to help (preying on the weak)

They want reparations to victims and for Sony to stop whatever they perceive them to be doing

They use the term “restructuring” in reference to victims and compensation

They claim they made “repeated warnings” to Sony about this

Then they throw in the Michael Brown notion, which seems to be just a throwaway

Interestingly, GOP at the start claimed they had no impetus against Sony concerning “The Interview” except to say “Sony Pictures produced the film harming the regional peace and security and violating human rights for money”, which is interesting in and of itself since the whole debacle has bloomed into a cyber war between DPRK and the US over that turd of a film. So do we take the GOP at face value here and accept that they were genuinely upset about Sony’s behavior on rights issues as well as the care of employees? Let’s take a look at some counter narratives to the current assumptions in attribution on the news today, shall we?

Alternate Narratives and Attribution:

Let’s just for the sake of argument believe that GOP was, at the time of the November 30th email to Steve, telling the truth about their motives for the most part. There is a full narrative in the email about how Sony was a bad and greedy corporation that must be punished for its actions. If we go along with this line of thought we have the following interesting tidbits from a quick Google-Fu session that lend credence to the argument.

As you can see, the restructuring has been in the news for a long time and the number of employees taking the hit has been upward of 10K, many of them from manufacturing. The link just above shows that the primary target in February of 2014 was the Vaio laptop line. Many of the parts for these were made elsewhere, including Korea and China as well as Japan. In general, though, you can see from the rhetoric that layoffs, and perhaps pay and care for employees, might factor into what GOP was saying. This leaves me with the thought that perhaps the culprits were in fact upset about the restructuring and may not be American in origin. Though the layoffs did touch the US, the primary areas where things were cut were actually in Asia to start with.

Suppose for a minute that we take GOP at their word and assume *assuming is usually bad but hey, let’s run with it* that the attackers are in fact responding to Sony’s cuts. Let’s also assume they are from the Asia region and could in fact be from Japan as well. Tie that in with the Sony Japan IPs coded into one of the malware variants and that becomes more of a possibility, and you have an alternate narrative. Taken at face value, GOP was reacting to Sony’s attempts to make itself more profitable at the cost of people’s jobs. Jobs, mind you, that in Japan are hard to come by to start with, right? As well, the jobs in China and Korea might also be harder to come by when a giant conglomerate pulls out. Add to this Japan’s politics and tensions in the region (as they mention with the movie as well) and you can further postulate that they are telling the truth about their motives.

So with all that said, I would really like to see what those threats to Sony were, as well as their demands. None of which I think anyone has seen, right? So maybe Sony can drop those emails on the net or something…. HAHA.. Right. I also think it is rather amusing that everyone has just assumed that all of this is about the USA and a movie to start with. Talk about the Streisand effect! Is it so inconceivable that “The Interview”, as GOP states, had nothing to do with this at all? Of course, once the GOP failed to get what they wanted from Sony, SPE (which was the weakest point in the chain security wise) got hit. It is also interesting to note that no other division of Sony has mentioned any hacking at all until the recent Lizard strikes against their PSX network. Why is that exactly? One would assume that the networks are all connected at some level.

So let’s boil it down…

GOP did it because of the restructuring

Their perceived beefs against Sony because of layoffs etc. that are stressing people in regions like China and Korea (both of which have long political histories of tension with Japan)

SPE was really just low hanging fruit and had been hacked, along with PSX, numerous times, making it a prime target

SPE was not secure because they failed to secure things

GOP hit them and demanded reparations which were not paid

GOP began dropping data and trying to get that money from SPE/Sony

Once Variety had put DPRK on the map with The Interview, the idea was there for the taking once things started going south, and the GOP used it

I am not attributing this to anyone in particular. It could be anyone, but at least there may be some motive to it now per their own communication early on. Could it be DPRK? Sure. Could it be Lizards? Sure. Could it have been Colonel Mustard? Sure! Attribution on this is just pointless. Well, unless you have services to sell or want to use the notion in your political machinations, that is. However, here is my counter narrative..

A group of persons hacked Sony because they were upset with its actions cutting jobs. They likely were not some 40 year old woman who got laid off from being an assistant accountant at SPE. (Oh, and yeah, many of those jobs were technical people.. just sayin’)

How bout them apples?

Attribution As A Weapon and Marketing Tool:

I have said it numerous times online already but let me repeat it now: attribution is mostly useless. It is really only useful as a naming convention, at most, to describe a group acting in a particular way when they attack. That’s really it and all it should ever be. Unfortunately it has become the new hotness with companies like Norse, Mandiant, Crowdstrike and their like. They are selling themselves on actors, not so much on real usable data for the common corporation. Focusing on stupid names for groups and trying to sell people on having the inside skinny on actors in foreign countries is just snake oil. Give us the feeds on how they act and who they seem to be attacking and be done with it. Trying to horn into this whole SPE thing with all their theories and getting free advertising time on major and minor networks makes me sick.

Another factoid for you all should be the notion of using attribution as a weapon. The US Government has shifted into the naming and shaming business on the backs of the Mandiants of the world, with Tao at its head crying CHINA CHINA CHINA! for years now. China may or may not be behind all of the hacking; it is all subject to forensics and evidence that can be hard to call pristine, as I point out above with the Grugq quote. In the case of the SPE debacle we have yet to see anything convincing out of our government by way of evidence, and they have talked about proportionate responses. This is hubris at its worst and why I wrote my first post on SPE. If we are going to go to a cyber war footing we had better be able to provide proof to the world that it was in fact DPRK. So far we have nothing but “We are the government.. Trust us”, and that no longer works.

The worst thing of all is all the marketing being generated by this incident. I have seen companies take very little in the way of evidence and spin stories that they tell the media and the people as “the truth” when they have no real idea what the truth is. This industry has jumped the shark, and while I personally saw my post and others make a dent in the narrative the media was playing for us all, it did nothing to deter the FBI and the government from blaming the DPRK and seeking to respond in kind. Since then we have seen DoS attacks against the “hermit kingdom”, including my own incident where I Nmapped them and they DoS’d me for a while. It’s all a fucking nightmare and I am at my wits’ end trying to inject any sense into the derpstream out there today.

Maybe I can just become a gentleman farmer and goat herd to a flock of narcoleptic goats. At least I will be amused by their running and passing out while the world burns in cyber flames.

K.

UPDATE: I am told that the email above was public so there is that. I guess perhaps people have studied it in its totality? Meh, the post still stands.


4 Responses

Personally I don’t see any value in attribution except in the case where it might provide intel on WHEN an attack might occur (and possibly how if specific enough – which it rarely is.) It’s better to assume EVERYONE is after you by ANY means.

I don’t think the linguistics analysis was necessarily all that bad, but certainly it’s nothing more than circumstantial. But since the publicly available evidence released by the FBI is also circumstantial, it certainly is appropriate to put it out there.

I think Norse’s investigation makes more sense, but since they haven’t released sufficient detail either, it’s also non-conclusive. I do think it’s likely that a hacker group rather than just one insider was involved, but it’s also quite possible that an insider helped. It’s also possible another hacker group instead of an insider helped – someone at Lizard Squad has claimed this in an interview.

Meanwhile the FBI has modified its stance, claiming that North Korea may have contracted out the hack. This indicates to me that they’re not nearly as confident as to NK’s provenance as they’ve said, but nonetheless they’re doubling down on it by claiming Norse’s evidence is “narrow” – which seems ironic given the FBI’s rush to judgement.

ITT: “Attribution is too difficult so you shouldn’t listen to anybody who attempts it because they’re just in it for the free publicity. But I think it was probably a group of disgruntled, ex-SPE employees based on a single data point that has nothing to do with the actual incident.”